
IT business justification to limit network access

Are you hoping to limit network access at your organization, but aren't sure how to go about creating an IT business justification for a proxy server? In this expert response, Randall Gamby explains what a proxy server can do, including how to explain its value to executives.

We are working on implementing Web filtering and access control. As part of this project I believe we should add a proxy server to our network (ISA 2006) so that we can use Active Directory and Group Policy to manage who can and cannot access the Internet. The director of IT doesn't see a value in this and is only looking at the additional cost. So the question is: Should we use proxy servers as part of our access control project? Do the benefits outweigh the costs? If so, how do we go about demonstrating that?

I personally like proxy services for the data leakage protection they provide. As most industry analysts will tell you, the threat of embedded email viruses has shifted to compromised websites where malware is loaded onto an employee's PC or the employee is tricked into giving up passwords or IDs. Because of this, organizations are limiting social networking sites like Facebook, MySpace or Twitter, which have become territorial hunting grounds for the makers of Trojans and other malware. (However, be aware that management executives see the possibilities of social networking for business use and are considering opening access to them in order to leverage these sites for commerce.)

Limiting access to the network can have other benefits, such as preventing sensitive information from exiting the company through unauthorized sources (like exiting employees), preventing employees from accessing other unauthorized sites and services, preventing Trojans and other malware that have already crept into your organization from sending data out to cybercriminals, and limiting bandwidth utilization to key personnel and applications.

In addition, be aware that tying network protection tools to identity management protection tools (for example, tying Active Directory to Group Policy) will incur a higher level of administrative burden on the organization (not to mention that the repository schema must be extended and the data inputted and maintained correctly, which may be a project in and of itself).

As far as business justification for these services goes, it depends on your organization's sensitivity to risk. Some organizations inherently trust that their workers are knowledgeable, ethical and careful when using the Internet, while other organizations believe that taking away the temptation of the Internet is the safest action for their general populations. As such, selling protection services will be more difficult in the first organization and easier in the second. Also, it's not a good idea to spread fear, uncertainty and doubt (FUD), so selling the concept of proxy services as added protection should be done with sensitivity to your management's feelings about the possibility of breaches and unauthorized disclosures of information. And of course, educating your management on what proxy services do and their business value in the reduction of identity theft and fraud is a good place to start.

Proxy services are becoming a de facto tool in many organizations' security arsenal, but which tool or tools you need to maintain the surety of your environment must be considered carefully in terms of its business justification.

This was last published in September 2009
